<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
	<title>Chapter09 - Programmatic Security</title>
</head>

<body>
<center><h3> Chapter 09 - Developing secure web applications (Programmatic Approach) </h3></center>
This web application shows how to fine tune the security aspects of a web application using the programmatic approach on top of the declarative approach.<br> Here,
the servlet code uses the security related methods (ServletRequest.getRemoteUser() and ServletRequest.isUserInRole() ) to determine the output of the page.
We still need to define the security constraints in the web.xml as explained in <a href="/chapter09-declarative">chapter09-declarative</a> web application.
<br>
<br>



Note: To be able run this web application, you should have the user names and passwords configured in the tomcat-users.xml file 
as explained in section 9.2.5. For your convenience, we are giving sample values for this file. 
You can copy the following contents into conf/tomcat-users.xml:<br>
<pre>
&lt;tomcat-users&gt;
  &lt;user name="tomcat" password="tomcat" roles="tomcat" /&gt;
  &lt;user name="role1"  password="tomcat" roles="role1"  /&gt;
  &lt;user name="both"   password="tomcat" roles="tomcat,role1" /&gt;

  &lt;user name="john"   password="jjj" roles="employee" /&gt;
  &lt;user name="mary"   password="mmm" roles="employee" /&gt;
  &lt;user name="bob"   password="bbb" roles="employee, supervisor" /&gt;

&lt;/tomcat-users&gt;

</pre>



<ol>

<li>This web application contains only one servlet named ProgramaticSecureServlet. All employees can make a GET request
to this servlet and all employees are treated equally. To send a GET request, click 
<a href="/chapter09-programmatic/servlet/ProgramaticSecureServlet">on this hyperlink.</a><br> 
&nbsp;
<li>For POST requests, the servlet generates different responses for managers and non-managers. 
To make a POST request, submit the form present on <a href="/chapter09-programmatic/posttest.html">this</a> page. 
The container will send the login page. If you enter a manager's username/password ( for example, bob/bbb ), 
you'll get the manager's page. If you enter a non-manager's username/password ( for example, john/jjj ), 
you'll get the employee's page.
<br>Observe the web.xml for this web application carefully.
<br> The code for the doPost() method of the servlet is as follows:<br>
<pre>
public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException 
{
	PrintWriter pw = res.getWriter();
	
	System.out.println("remote user="+req.getRemoteUser());
	System.out.println("user principal="+req.getUserPrincipal());
	System.out.println("req.isUserInRole(\"manager\") = "+req.isUserInRole("manager"));
	
	pw.println("&lt;html&gt;&lt;head&gt;");
	pw.println("&lt;title&gt;Programatic Security Example&lt;/title&gt;");
	pw.println("&lt;/head&gt;");
	pw.println("&lt;body&gt;");

	<b>String username = req.getRemoteUser();</b>
	
	if(username != null) pw.println("&lt;h4&gt;Welcome, "+username+"!&lt;/h4&gt;");
	<b>
	if(req.isUserInRole("manager"))
	{
		pw.println("&lt;b&gt;Manager's Page!&lt;/b&gt;");
	}
	else
	{
		pw.println("&lt;b&gt;Employee's Page!&lt;/b&gt;");
	}
    </b>
	pw.println("&lt;/body&gt;&lt;/html&gt;");
	
}
</pre>
<p>
Observe that in the tomcat-users.xml, we've configured the role 'supervisor' but in the servlet code we are using 'manager' as the role name. This mapping is specified in the web.xml using the following code:<br>
<pre>
 &lt;servlet&gt;
  &lt;servlet-name&gt;ProgramaticSecureServlet&lt;/servlet-name&gt;
  &lt;servlet-class&gt;chapter9.ProgramaticSecureServlet&lt;/servlet-class&gt;
<b>  &lt;security-role-ref&gt;
    &lt;role-name&gt;manager&lt;/role-name&gt;
    &lt;role-link&gt;supervisor&lt;/role-link&gt;
  &lt;/security-role-ref&gt; </b>
 &lt;/servlet&gt;

</pre>
</ol>

</body>
</html>
